This code a fork of `Rackspace's python-novaclient`__ which is in turn a forkof `Jacobian's python-cloudservers`__. The python-keystoneclient is licensedunder the Apache License like the rest of OpenStack.

Installing this package gets you a shell command, ``keystone``, that you canuse to interact with OpenStack's Identity API.

You'll need to provide your OpenStack tenant, username and password. You can dothis with the ``--os-tenant-name``, ``--os-username`` and ``--os-password``params, but it's easier to just set them as environment variables::

Alternatively, to bypass username/password authentication, you can provide apre-established token. In Keystone, this approach is necessary to bootstrap theservice with an administrative user, tenant & role (to do so, provide theclient with the value of your ``admin_token`` defined in ``keystone.conf`` inaddition to the URL of your admin API deployment, typically on port 35357)::

Since the Identity service can return multiple regions in the service catalog,you can specify the one you want with ``--os-region-name`` (or ``exportOS_REGION_NAME``)::

export OS_REGION_NAME=north

.. WARNING::

If a region is not specified and multiple regions are returned by the Identity service, the client may not access the same region consistently.

If you need to connect to a server that is TLS-enabled (the auth URL beginswith 'https') and it uses a certificate from a private CA or a self-signedcertificate you will need to specify the path to an appropriate CA certificateto use to validate the server certificate with ``--os-cacert`` or anenvironment variable::

export OS_CACERT=/etc/ssl/my-root-cert.pem

Certificate verification can be turned off using ``--insecure``. This shouldbe used with caution.

Positional arguments: <subcommand> catalog ec2-credentials-create Create EC2-compatible credentials for user per tenant ec2-credentials-delete Delete EC2-compatible credentials ec2-credentials-get Display EC2-compatible credentials ec2-credentials-list List EC2-compatible credentials for a user endpoint-create Create a new endpoint associated with a service endpoint-delete Delete a service endpoint endpoint-get endpoint-list List configured service endpoints password-update Update own password role-create Create new role role-delete Delete role role-get Display role details role-list List all roles service-create Add service to Service Catalog service-delete Delete service from Service Catalog service-get Display service from Service Catalog service-list List all services in Service Catalog tenant-create Create new tenant tenant-delete Delete tenant tenant-get Display tenant details tenant-list List all tenants tenant-update Update tenant name, description, enabled status token-get user-create Create new user user-delete Delete user user-get Display user details. user-list List users user-password-update Update user password user-role-add Add role to user user-role-list List roles granted to a user user-role-remove Remove role from user user-update Update user's name, email, and enabled status discover Discover Keystone servers, supported API versions and extensions. bootstrap Grants a new role to a new user on a new tenant, after creating each. bash-completion Prints all of the commands and options to stdout. help Display help about this program or one of its subcommands.

Optional arguments: --version Shows the client version and exits --timeout <seconds> Set request timeout (in seconds) --os-username <auth-user-name> Name used for authentication with the OpenStack Identity service. Defaults to env[OS_USERNAME] --os-password <auth-password> Password used for authentication with the OpenStack Identity service. Defaults to env[OS_PASSWORD] --os-tenant-name <auth-tenant-name> Tenant to request authorization on. Defaults to env[OS_TENANT_NAME] --os-tenant-id <tenant-id> Tenant to request authorization on. Defaults to env[OS_TENANT_ID] --os-auth-url <auth-url> Specify the Identity endpoint to use for authentication. Defaults to env[OS_AUTH_URL] --os-region-name <region-name> Defaults to env[OS_REGION_NAME] --os-identity-api-version <identity-api-version> Defaults to env[OS_IDENTITY_API_VERSION] or 2.0 --os-token <service-token> Specify an existing token to use instead of retrieving one via authentication (e.g. with username & password). Defaults to env[OS_SERVICE_TOKEN] --os-endpoint <service-endpoint> Specify an endpoint to use instead of retrieving one from the service catalog (via authentication). Defaults to env[OS_SERVICE_ENDPOINT] --os-cacert <ca-certificate> Specify a CA bundle file to use in verifying a TLS (https) server certificate. Defaults to env[OS_CACERT] --insecure Explicitly allow keystoneclient to perform "insecure" TLS (https) requests. The server's certificate will not be verified against any certificate authorities. This option should be used with caution. --os-cert <certificate> Defaults to env[OS_CERT] --os-key <key> Defaults to env[OS_KEY] --os-cache Use the auth token cache. Defaults to env[OS_CACHE] --force-new-token If the keyring is available and in use, token will always be stored and fetched from the keyring until the token has expired. Use this option to request a new token and replace the existing one in the keyring. --stale-duration <seconds> Stale duration (in seconds) used to determine whether a token has expired when retrieving it from keyring. This is useful in mitigating process or network delays. Default is 30 seconds.